Welcome back to the Cyber Underground. I'm your host Dave Stevens. I am the Cyber Guy. Welcome back. I've missed you. We had a break. Had to come back. December's a busy month. With me here today, president of the (ISC)² Chapter in Hawaii, Jeff Milford. Thank you. Welcome, sir, my co-host today. Thanks for having me. We're going to be talking about all kinds of stuff. Let's get started with the title of the show, North Korea. North Korea. Again. Our favorite bad actor. That's true. We call these the people on the internet that do wrong things bad actors. Yeah, people on the network that you're always looking for to try to stop. North Korea's one of our favorites. Why? Because they have unlimited time and unlimited resources to do whatever they want. Yeah. Don't feed the citizens. Spend money on training bad actors. Exactly. And then you can... Because there's profit in that. And you can get Bitcoin. Yes. So they... My God. The stuff they do... Now, the reason I bring this up is because we get the warnings all the time from the U.S. Cybersecurity Emergency Response Team, my computer emergency response readiness team. Sorry, CERT. And InfraGard locally gives us these warnings. And one of the ones that came out with a new North Korea attack. Now, just so the audience knows, North Korea out there is... I don't know what camera to put to. Where am I pointing to? North Korea is known as Hidden Cobra to our intelligence community. So North Korea, Hidden Cobra came out with Bankshot, which is... It's hard to explain. You want to help me try to explain to our audience what an interproxy advanced persistent threat is? It uses obfuscation. So you have a network, right? And they send you some malware. And you click on something and it installs a proxy. A proxy somewhere on your network, you know nothing about that has a passage in from the outside and usually has a passage to the outside from the inside. So it's a pivot point, but through your network.
So they're using that proxy to obfuscate themselves or hide themselves from illegal activity as they exit your network. They're using you as the fingerprints in the crime. And they don't just do it once. They do it multiple times. And every time they go from network to network from proxy to proxy, that's one hop, a network hop. And there might be some other routers and switches in between. So those are all hops. But the more hops you get between the criminal and the crime, the harder it is to find forensically the criminal. And they're trying this. This is what's called Bankshot. And it's also called an advanced persistent threat. Why don't you walk us through an advanced persistent threat, an APT? Complex topic. Long-lived threats that are very, very difficult to find. And the bad actors have been upping their games. You know, in the old days, you could look at phishing emails and find misspellings and stupid things like that. And nowadays they're getting a lot more sophisticated. They're finding different ways to exfiltrate data. They're using Dropbox at times. I think I heard that they were using LinkedIn as a place where they could go to pick up the data that was exfiltrated by the malware that was written. The creativity is just absolutely amazing. And I wouldn't say we're defenseless for companies, not as, but for the people on the street. And granted, they're not typically targets of bad actors, advanced persistent threats. They're more the target of criminals and whatnot. But one of the things I've been thinking about with North Korea is, when are we going to strike back? Because at a certain point, you can't allow this to continue happening. So do we know that we have like an army? Do we know that we haven't though? It's not like the US would attack and tell us, Hey, guess what? We just attacked them. We're not going to admit to what we do or do not have. Right. So we could have that ability to be doing that now. Stuxnet. Stuxnet. Yeah.
But that was, we were, we explain that to the audience because they might not be up on Stuxnet. Stuxnet was supposedly written by the Israelis. We had a hand in accomplishing the goal. But it went into, I can't remember, Iran, the centrifuges on Iran's nuclear plant. And it spun them up so that they all blew up. Right. It spun them too fast. Right. Right. Unfortunately, it got into the wild, which is always a problem with these things. You cannot control them. They jump from network to network. And Stuxnet caused some difficulties for other people. You bring up a really good point. So when we're talking about just, you know, biomed, right, people want to know how to cure diseases. So they keep copies of the disease samples, right, in secure areas. So let's talk about, you know, anthrax, right, which just happened to accidentally get mailed to a lab that didn't order it a few years ago. So a virulent copy of this anthrax went to a lab that said, Why are you sending us anthrax? Yeah, we're not equipped for anthrax. And that's a problem, right? So the same thing happens when we stockpile these viruses and these tools and pieces of malware that have been created. People break in, the NSA tools, right? And they get posted by other bad actors on the internet. And then those tools get sold. And they can be used for first strike weapons against anybody, not just companies and people, but countries. And so Stuxnet I think showed us that a piece of computer malware can get into a motorized device of PLC programmer, logic circuit or circuit logic, and also SCADA controls, right, which control things like hydraulics and doors and all the things that robots can do. And when malware power stations and power stations and water supplies and water supplies, right? And when you talk about being able to knock out things like that with viruses, kind of scary. You know, we as humans, I think are inherently lazy.
And we want everything done for us. So we will work all day and night to automate something. And to automate something, we also want to work from home. So we put it all on the internet. And now we've kind of made our bed and we have to sleep in it. And North Korea knows that. And other bad actors who I won't name right now, also know that. And we seem to just be ratcheting up the pressure on North Korea, who can't get money. So the way they get money is they go out and they steal it. And the internet is a perfect way to do this. So the last suspect we had was the SWIFT network between banks, right, how they move money back and forth. The latest theory from our intelligence communities is that North Korea hacked that stuck, or stuck SWIFT, and made it so they took a few pennies out of every transaction. And they had planned on getting almost a trillion dollars, but they only got 80 billion before the whole thing was shut down. That's still a lot of money. That's a lot of coin for a country that's not getting much money. And all of a sudden they got all this money. Coincidentally, right after that, they started making really good missiles, really good missiles and supposedly some payloads for them. Yeah, that makes me nervous. A little bit. Yeah, because our anti-missile system, I think is only 50% accurate. I heard 25, one out of four. Really? So I got to flip the coin twice and pray. And wow, okay, well, thank goodness Hawaii is a little blip in the middle of the Pacific. And sorry, mainland. My wife, you're the target, asking what we're going to do. If a missile comes in, and we keep a bottle of champagne in the refrigerator, pop open the champagne, go out to the forge, enjoy the sunrise, whatever's going on yet. Because really, you're on an island. Sorry to say. Yeah, very well defended island. True from most conventional attacks, not a missile. I don't think that's going to be the first warfare though. I mean, everyone's talking about cyber war. Yeah.
And truly, it could be happening right now, we could not know it. You know, it could happen because of these advanced persistent threats. The worst ones are, of course, they enter your network, they place something there that they can use later. It's completely innocuous to your sensors. So you don't pick it up until the time they activate it, and it goes to work for you. It's like a sleeper agent in all those old spy movies, right? They just sit there waiting for you or scanning your network. Yeah, to get the call. Like, Charles Bronson gives you a call, right? Right, right. Oh, that was great. You are now active. Destroyed. And you can use multiple networks together to perform something. So people like you and I, who do security, are constantly scanning for what they call the signatures of these advanced. Signatures and the behaviors. Right, both port access. Signatures often are a reactive way to deal with things, because first somebody has to identify the threat, and find a way to usually hash a numerical. Let's explain that. That's a really good one. So we take like an exe file, the executable file that we know is malware, and we run an algorithm against it. And the result of that algorithm is called a hash, which is a numerical sequence of like 256 bytes. But it's unique to that particular executable file. So we can scan our network and do a hash algorithm against every single file we encounter with an exe on it. And if we match those two hashes, we know that is an advanced persistent threat, we can block it, we can destroy it, we can isolate it, right. But that's like you said, it's reactive, we have to know it's out there first, then create the signature. For a company with intrusion detection systems and things like that, you have to subscribe to the feeds, so that you get that intelligence, the threat intelligence. Describe that for us, for the audience again.
So there are companies that are actively pursuing these threats and identifying them and creating the hashes and then pushing them out, you subscribe to a feed, pushing them out to companies, you import them into your appliances, your devices. And they then use those and those are still reactive, but they're usually pretty current. They're much better than, what I want to say, better than antivirus. Some companies are pretty good about that. But the whole thing is if somebody in England gets it, and you're on the network and you get the feed, you're ready for that signature before it hits your network. So it's better than nothing. Oh, it's way better than. Prevent what they call a zero day, which is the first time an attack happens and no one's seen it before and no one's been able to identify. It's never been reported, never reported. So this is not a zero day prevention, but it's better than nothing. And most of our systems, if you subscribe to their feed like Cisco, it's automatic, it's applied, right? And so the very next sweep that signature's added to that sweep, so you're checking again. Usually that doesn't even slow down your network. No, yeah, it allows traffic to continue while it sweeps constantly. These kind of automated systems save our bacon. Yeah, I've been working with them a lot at this, the new job. And it all goes back to the defense in depth. You cannot depend on any one device, you need multiple ones. It's like at home, I can use my antivirus, but I also have a malware program. And there are some things that one program finds that the other doesn't. And that's why you have security in layers, defense in depth. So you have your perimeter fencing, you've got your front door with a lock, you've got a door inside, you got Grandma upstairs with a shotgun. Everybody's playing a part. And if you get through one layer, there's another layer waiting for you, right? And sometimes that doesn't prevent the attack. But is it a deterrent?
Yeah, it depends on how badly they want it. It's like a thief breaking into your house. If you have lights on, a dog nearby, the doors are all locked. They're going to move on to an easier target, typically. Yeah, your neighbor who's on vacation at the garage door, looking at all the newspapers on the porch, the house is dark. Typically, the thieves are going to go there. But you throw a bunch of defenses that they have to keep defeating. It really has to be worth their while, which is why nation state attacks like Hidden Cobra can be so bad, because you have all the defenses in the world, but they have all the time, all the resources and all the resources throw out. And people I don't think realize that if you're just one person, you might not think of yourself as a target. But if you work for a company and you have a position of some kind of authority in that company, and you can do a key activity in that company, you might actually be a target. If someone wants to take down a power grid and you work at the power station, and you have access to the power grid controls through your network account, you might be a good target because it's easier to get malware onto your personal laptop or your cell phone than it is to attack the power station. Oh, very nice. Yeah, you don't want to storm the front gate to the castle. Yeah. You go get the cook on the outside and have him smuggle you in the back door, right? That's the best way. And a lot of what we hear about the big things like the Target breach is hackers trying to get inside a company. But more often than not, it's these phishing attempts that are succeeding, whether you're an individual or a company. Because once you click on that link, you've brought the malware in for them. You bypassed the security system. It's exactly right.
You know, when we come back from the break, we're going to discuss the phishing attacks, the difference between personal and corporate phishing attacks, spear phishing, whaling, and some of the new ones that the FBI just warned us about through US-CERT and InfraGard. Okay, we're going to take a break, pay some bills, we'll be right back. Until then, stay safe. Hi, guys. It's RV Kelly. I'm your host of Ad in the Comfort Zone, where I find cool people with cool solutions to problems that all of us face. Now, the thing is, we're really cool. And I only invite really cool people. But the thing is, I think you're kind of cool too. So I think you should come and watch that Thursdays at 11 a.m. here on OC16 television with Think Tech Hawaii. I'm RV Kelly, host of Ad in the Comfort Zone, and I will see you next Thursday. Welcome back. I hope you enjoyed the commercial break. I know I did. It was highly entertaining. I'm Dave Stevens. I'm your host of the Cyber Underground. And we're going to change topics now. We were talking about Hidden Cobra in North Korea and Bankshot, the latest North Korea bad state actor. And now we're going to shift into some email scamming, especially now during the holiday season, people are always victims of shopping scams. And a new one just came out as a warning from the FBI about three different shopping shipping attempts for phishing emails. Let's talk about that. You've got the same warning I did apparently. I haven't read it. It came out early this morning, I think, or yesterday morning. And it was apparently three different emails that they've identified that get sent to people. And this is the time you're doing shopping. So almost everybody is getting something shipped to them or to somebody else. And even UPS, I signed up for UPS, if someone's shipping something to me, I get notification. It's going to be here in this little window of time.
Please be home because you have to sign for it because, you know, most of mine are alcohol, so I got to sign for it. So an ID. Hidden drunk, you know. And so I expect these emails anyway. So now I have to closely inspect them because all of them contain a link. Yeah. Click here to check on the status. And what can that do to us? That leads to very bad things. Describe some of the bad things for us. Some of the bad things. Keystroke loggers, maybe not as popular as some of the other malware, but if you want somebody to be able to tell everything that you type on your machine when you're logging into various banking accounts, all that gets captured and sent back to the mothership. Malware of different types, ransomware, of course, that we've heard so much about. That's very popular now. Yeah, ransomware. So that was the WannaCry attack, which is now being blamed on Tom. Is it Bossert? The Homeland Security Advisor to President Trump has actually come out publicly and said, No, that was North Korea. We have evidence. The UK has provided evidence. We're not going to show you, of course, but we have evidence. And so we need to believe. But that was apparently North Korea. And the funny thing about that WannaCry is it was all ransomware and they all wanted you to pay a little bit of money to unlock your data. But it was like 300 bucks. So they only made maybe 20, 30, 40, 50 grand on the whole attack, but they got, you know, what, a couple of million computers in 150 different countries. Yeah, but that's just one variant. Just one variant of ransomware. Could it be that they were just testing this out? Probably. And the distraction was, Hey, it's a ransomware, but it really did take down the national healthcare system in the UK. Oh yeah, the NHS. N8S. I can't even speak. If that happens again, take over for me.
The entity that controls, right, the entity that controls the medical services in the UK pretty much got taken down mostly because they were running Windows 7 and Windows, or Microsoft said, Oh, we know this is coming. So we're going to patch this in advance. But they didn't do the end-of-life computers. So Windows 7 had already passed its prime. But NHS, the NHS in the UK, hadn't upgraded yet. Well, and remember what happened in China with all the, should I call them bootleg machines, unregistered? I think you could say that here. There's the thing about the ransomware, to show what a threat it is, is that there are criminal organizations that have a help desk. You can actually call them and say the encryption key I bought from you doesn't work. And sometimes they'll actually help you get your data back. So that's how much money there is, because they have a reputation to protect, right? They want people to know that if you pay us the ransom, we're going to give you your data back. Why is it the criminals have a better help desk system than AT&T? They get paid better. It's not about the stock price. Customer, customer giving them money. So that shows how much money there is to be made by all these variants. But the thing that gets me is when WannaCry came out, Microsoft patched for that two months earlier. Yeah. The fact that people got hit by it as much. Microsoft used to have a really bad reputation for patches. Sometimes patches would break things. Nowadays, it's not so much. That's a bad, to me, it's a sucker bet not to do that. I mean, you can set it to automatic and it'll take care of that. Granted, there are end-of-life operating systems. Like if you've got a Windows XP system that's connected to the, no more bad just coming out. Yeah. Why? Yeah. Why are you doing that? Well, it's good to do that because if you do not pay attention, accidentally, it happens to us all. We've only had one cup of coffee in the morning and we click on that link and go. Yeah.
But if you've patched your system, it's very likely that the ransomware will not get your computer. Do you have some defense in depth? Mm hmm. But if you've already clicked on the link. Unplugging the network cable is not going to do anything for that machine. No, it's going to protect any other machines that you have in your house because it spreads via the network. Right. But it boggles my mind. I work with some vendors that I say, when do you issue patches? As needed. Okay, how do you define as needed? Because Microsoft puts out easily 10 security patches every Patch Tuesday, the second Tuesday of every month. That's patched. Microsoft and Adobe are on the same date. They patch their stuff at the same time too. So I just, I look at these vendors and they say, well, you know, we look at them and we make a determination. And I'm looking at these vendors saying the determination is if it's hit mainstream media and everybody knows about WannaCry, then you say, ah, you know, maybe we should patch our application or something. Microsoft is ahead of the game and you have to appreciate that. It is nice. And again, defense in depth will help with a lot of these things too. But the patching is one of the biggest. I think it's no longer a decision about when you should apply it. It's always, I should apply that as soon as I can. Exactly. I think, unfortunately, there's some people that run applications so long on their network, custom applications, they need to have Internet Explorer 8 or 9. Otherwise, that web application fails. They have to have SQL Server 2008, you know, for that application to run. So they fail to update because they don't want to update their application. That costs a lot of money. So you gotta make a decision though, because especially if you're handling financial transactions, right? If you have credit card numbers, credit card companies will charge you, I think 75 cents.
If you got breached, 75 cents for every credit card number that got taken off your network, exfilled, right? One person can have multiple numbers. And you're getting charged multiple times for each customer. And if you have a million customers, that's 75 cents. This is why one breach can wipe out a small business. And that's the thing. What's the mentality that, you know, let's bring in a contractor, somebody who knows this old stuff and have them fix it for us? Yeah. Or do we take a risk that we hose our business and it goes away? The one thing people can do for the ransomware is, how many people back up their systems? That's the only way to recover. Oh, unless you're backing up. Here's the thing. If you're backing up and you have like an external hard drive or something like that, unplug that. Unplug it. Don't leave that plugged in. Ladies and gentlemen, do not leave your backup drive plugged in. I think mine's actually plugged in right now. I'm a hypocrite. Don't do what I do. Unplug that drive. Plug it in only when you do the backups because if you get hit with ransomware and your drive is plugged in, what happens? It's going to treat it just like a network drive and it's going to encrypt that drive. Right. And then there goes your backup. Then there goes your backup. Thankfully, I don't think that can happen in the cloud. So if you have an automatic cloud backup. No, that's not going to happen. No. So the cloud vendors are, thank you, God, they're really doing a good job. Amazon, Google, Microsoft, Azure, they've come way up to speed. They're following the new NIST rules for the DOD, the 800-53 rules a lot of times, which is, if you go there into your research, that's a lot of control checks to put on your network. They handle TEMPEST controls and employment. They don't hire non-U.S. citizens a lot of the time. It's a pretty serious security and defense in depth. And it's reasonably priced. Nearly everybody has somebody in their family that understands this. Yeah.
So that's not an excuse. You have automatic built-in tech support a lot of times. Exactly. As we both know. Yes. We're the tech support. But you know what? I have a 12-year-old person in my family who could probably do just as well with this cloud backup stuff. They understand it. It's like they grew up with this stuff. It's just magical. Oh yeah, I know what that is. My friend who had his business on a thumb drive. And the thumb drive crashed. Oh. It couldn't be read. Oh. So he took it to a local company. And they took it apart. Oh. There are no moving parts. Yes. There's no reason to take it apart. Just a circuit board. And a plug. Yeah. So he gave it to me and I'd mess with it and tried to do some tricks, you know, some drive utilities and stuff. Yeah. And I said, okay, here's a deal. You're an Apple guy. Right. Yeah. iCloud. Right. Yeah. iCloud comes automatically and for free. I'll set you guys up and you won't have to ever worry about it again. Yeah. And if you, they give you a certain amount of storage for free. But it's really inexpensive for the next, I think I pay 99 cents a month for my storage and I get 50 gigabytes. That's a heck of a lot of data. I mean, I gotta go way out of my way to put 50 gigabytes in the cloud and I do some experimental stuff with virtual machines. So, you know, I've got a lot of data. But yeah, it's a really good backup and they keep it somewhat secure and it's more secure than my system. Yeah. And I think people got to realize nothing's ever totally secure. Right. But they're more secure than others. People will store their tax returns, pictures that mean a lot to them. And this is valuable. It may not rise to the value of company Coke secret recipe or things like that. But to these individuals, it's really important to them. So, protect it. You know, that's, let's change gears and you got a good segue here. What's the difference between attacking a person versus a corporation in an email phishing attack? I don't see one. 
You're after individuals. Yeah. It's a psychological game. To see who's going to both click on the right. The goal's the same. It's to get malware or something on the computer. Maybe in a business, it's a little more aggressive malware, designed to be a little more stealthy maybe. But it's still the same idea. It's to get people to click a link. And I, my mother-in-law told me about 15 years ago that her internet was slow. And I thought to myself, she was an older woman. And I thought, what does she know from slow internet? And my brother-in-law told me, he says, well, you know what happened is people got conditioned to a response time from the TV remote. When you use a TV remote, things happen immediately. So, when you are clicking around with your mouse, you expect that same kind of response time. And I thought, that's really reasonable. Yeah. I can see that. So, people have to take some of the responsibility, protect yourself, the defense in depth, run your updates, make sure your antivirus software is being updated, the malware signatures for the malware product you're using, that gets updated as well. Most of that is built into Microsoft, right? Take a minute. Defender, right? Yeah. Yeah, it's built in. Okay, we got to wrap it up. But let's go on a rant really quick. It does take 20 seconds and we're talking about cell phones. And I told you, I got caught in the whole Apple iPhone battery scam. Right, we're not guaranteeing you to update. No, we're protecting the battery. We're protecting the battery. So, if you see this episode on the web, everybody, please go in there and comment. Tell us what you think about Apple. Now, in lawsuits currently, already class action lawsuits filed in Chicago and a couple of other places against Apple for slowing down phones and they're calling it breach of contract because they didn't tell them, they didn't tell us, I had an iPhone 6 also, that they were going to slow down the iPhone. So, let us know what you think.
We really want to know. And also, the point I was making with the mouse clicking is take a minute. Look at an email. Look at who it's from. Don't click right away. Hover over the link. See if it goes to what you think it says. Don't be in such a hurry. I still get phished from people I worked with 15 years ago who have hacked emails. They don't want to change their emails because they've had them forever. We got to come on two weeks from now. We're back on the show. Let's do this again. OK. All right. Sounds good. Thanks for being with us, everybody. More good news every time you watch. OK. We'll see you next week on the Cyber Underground. Until then, stay safe.